First published on CloudBlogs on Jul 12, 2017 by Enterprise Mobility + Security Team The rise of ransomware and its media presence in recent months has highlighted, perhaps now more than ever, the importance of robust security systems to detect and respond to devious and evolving threats. We know extortion via ransomware is an effective scare tactic – after all, victims can be of both consumer and commercial variants – and in all cases, attacks are evolving at a pace and frequency unparalleled by most other cybersecurity threats. Today, many strains of ransomware are searching for innovative and advanced ways to wreak the maximum amount of havoc possible to victims’ assets. As we are entering this new age of cybersecurity, we want to provide powerful tools that can deliver control back to you through strong detection and remediation capabilities. Today we will show how two products that are a part of the Enterprise Mobility + Security (EMS) suite – Microsoft Cloud App Security (MCAS) and Advanced Threat Analytics (ATA) – can help to protect users both in the cloud and on-premises through robust detection systems. We’ll walk through the malware detection capabilities of each product as part of your comprehensive, defense-in-depth security strategy.

Lessons from UEBA: Detection through abnormal user and file behavior

As a User and Entity Behavior Analytics (UEBA) product, ATA learns the behavior of users and other entities in an organization and builds a behavioral profile around these. When malicious software establishes a foothold in a network, and starts to spread from a compromised machine to other computers in the network, an abnormal behavior detection is raised. Why? A departure from the “norm” of activity for the account indicates a probability of compromise; this detection and alert informs the admin immediately. Similarly, Cloud App Security can detect abnormal file behavior across a tenant’s cloud applications. Cloud App Security will identify large amounts of deletions and file syncs across a short period of time; coupled with indications that files are ransomware encrypted (e.g., by file extension changes), the system will alert on these abnormalities through fully customizable activity policies. The speed of detection here is critical: since file deletion can be identified immediately, the chances of retrieving original files (which become immediately replaced by encrypted, ransomware-controlled files) are greatly increased. As ransomware evolves, we are noting a shift in encryption tactics – instead of using the well-known method of encrypting the first machine breached, some attackers are using the initial computer as a springboard to spread ransomware to any accessible machine in the network. Both Advanced Threat Analytics and Cloud App Security play important roles in this scenario: ATA to detect the compromised account used to spread the ransomware, and MCAS to detect the abnormal file behavior in cloud apps.

Behind the Anatomy of an Attack: Detection Through File and Protocol Abnormalities

Ransomware attackers can implement some network protocols (such as SMB/Kerberos) with only minor deviations from the normal implementation in an environment. These deviations may indicate the presence of an attacker attempting to leverage, or already successfully leveraging, compromised credentials. In some well-known ransomware campaigns, such deviations were noted. Advanced Threat Analytics detects these abnormalities in a user’s environment and alerts an admin immediately so that appropriate actions can be taken to protect the affected assets. Remember, it wouldn't be ransomware without a ransom note. As such, Cloud App Security file policies can be utilized to search for ransom notes in users’ cloud applications. When a ransom note is left behind, it usually details specific download instructions, navigation, and bitcoin payment terms. Using these types of indicators, Cloud App Security file policies can alert, for example, on the presence of .txt or .rtf or .html files that includes a combination of “.onion” and bitcoin, or Tor Browser and "ransom," in their construction. Cloud App Security threat detection also uses file policies to search for specific file extensions that are unique or non-standard. This can be as simple as a policy that looks for “.locky” or something more abstract such as “.xyz” or “.rofl”. Cloud App Security also delivers a built-in template for potential ransomware activity. This template is pre-populated with many of the most common extension types and is fully customizable. The policy template also allows governance actions to suspend suspect users, thereby mitigating the attack by preventing further encryption of most of the user's files that are in Office 365, Box, or Dropbox.